Search Results (2195 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2013-0334 4 Bundler, Fedoraproject, Opensuse and 1 more 4 Bundler, Fedora, Opensuse and 1 more 2025-04-12 N/A
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.
CVE-2014-3623 2 Apache, Redhat 8 Cxf, Wss4j, Jboss Amq and 5 more 2025-04-12 N/A
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.
CVE-2015-1798 2 Ntp, Redhat 2 Ntp, Enterprise Linux 2025-04-12 N/A
The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero length, which makes it easier for man-in-the-middle attackers to spoof packets by omitting the MAC.
CVE-2016-3739 1 Haxx 1 Curl 2025-04-12 N/A
The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate.
CVE-2014-6439 1 Elasticsearch 1 Elasticsearch 2025-04-12 N/A
Cross-site scripting (XSS) vulnerability in the CORS functionality in Elasticsearch before 1.4.0.Beta1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2015-3900 4 Oracle, Redhat, Ruby-lang and 1 more 5 Solaris, Enterprise Linux, Rhel Software Collections and 2 more 2025-04-12 N/A
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
CVE-2015-4674 1 Timedoctor 1 Timedoctor 2025-04-12 N/A
The autoupdate implementation in TimeDoctor Pro 1.4.72.3 on Windows relies on unsigned installer files that are retrieved without use of SSL, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted file.
CVE-2015-1848 2 Fedora, Redhat 6 Pacemaker Configuration System, Enterprise Linux, Enterprise Linux High Availability and 3 more 2025-04-12 N/A
The pcs daemon (pcsd) in PCS 0.9.137 and earlier does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. NOTE: this issue was SPLIT per ADT2 due to different vulnerability types. CVE-2015-3983 is for the issue with not setting the HTTPOnly flag.
CVE-2016-3677 1 Huawei 2 Hilink App, Wear App 2025-04-12 N/A
The Huawei Wear App application before 15.0.0.307 for Android does not validate SSL certificates, which allows local users to have unspecified impact via unknown vectors, aka HWPSIRT-2016-03008.
CVE-2016-3983 1 Mcafee 1 Advanced Threat Defense 2025-04-12 N/A
McAfee Advanced Threat Defense (ATD) before 3.4.8.178 might allow remote attackers to bypass malware detection by leveraging information about the parent process.
CVE-2016-1731 1 Apple 1 Software Update 2025-04-12 N/A
Apple Software Update before 2.2 on Windows does not use HTTPS, which makes it easier for man-in-the-middle attackers to spoof updates by modifying the client-server data stream.
CVE-2014-1502 5 Mozilla, Opensuse, Opensuse Project and 2 more 8 Firefox, Seamonkey, Opensuse and 5 more 2025-04-12 N/A
The (1) WebGL.compressedTexImage2D and (2) WebGL.compressedTexSubImage2D functions in Mozilla Firefox before 28.0 and SeaMonkey before 2.25 allow remote attackers to bypass the Same Origin Policy and render content in a different domain via unspecified vectors.
CVE-2015-6853 1 Broadcom 1 Single Sign-on 2025-04-12 N/A
The Domino web agent in CA Single Sign-On (aka SSO, formerly SiteMinder) R6, R12.0 before SP3 CR13, R12.0J before SP3 CR1.2, R12.5 before CR5, R12.51 before CR4, and R12.52 before SP1 CR3 allows remote attackers to cause a denial of service (daemon crash) or obtain sensitive information via a crafted request.
CVE-2014-1498 5 Mozilla, Opensuse, Opensuse Project and 2 more 8 Firefox, Seamonkey, Opensuse and 5 more 2025-04-12 N/A
The crypto.generateCRMFRequest method in Mozilla Firefox before 28.0 and SeaMonkey before 2.25 does not properly validate a certain key type, which allows remote attackers to cause a denial of service (application crash) via vectors that trigger generation of a key that supports the Elliptic Curve ec-dual-use algorithm.
CVE-2014-0034 2 Apache, Redhat 7 Cxf, Jboss Amq, Jboss Bpms and 4 more 2025-04-12 N/A
The SecurityTokenService (STS) in Apache CXF before 2.6.12 and 2.7.x before 2.7.9 does not properly validate SAML tokens when caching is enabled, which allows remote attackers to gain access via an invalid SAML token.
CVE-2015-5296 4 Canonical, Debian, Redhat and 1 more 5 Ubuntu Linux, Debian Linux, Enterprise Linux and 2 more 2025-04-12 5.4 Medium
Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3 supports connections that are encrypted but unsigned, which allows man-in-the-middle attackers to conduct encrypted-to-unencrypted downgrade attacks by modifying the client-server data stream, related to clidfs.c, libsmb_server.c, and smbXcli_base.c.
CVE-2015-2908 1 Mobile Devices 1 C4 Obd-ii Dongle Firmware 2025-04-12 N/A
Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, do not validate firmware updates, which allows remote attackers to execute arbitrary code by specifying an update server.
CVE-2015-8254 1 Rsi Video Technologies 1 Frontel Protocol 2025-04-12 N/A
The Frontel protocol before 3 on RSI Video Technologies Videofied devices does not use integrity protection, which makes it easier for man-in-the-middle attackers to (1) initiate a false alarm or (2) deactivate an alarm by modifying the client-server data stream.
CVE-2014-2718 2 Asus, T-mobile 10 Rt-ac56r, Rt-ac66r, Rt-ac66u and 7 more 2025-04-12 N/A
ASUS RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R, RT-AC56U, RT-N66R, RT-N66U, RT-N56R, RT-N56U, and possibly other RT-series routers before firmware 3.0.0.4.376.x do not verify the integrity of firmware (1) update information or (2) downloaded updates, which allows man-in-the-middle (MITM) attackers to execute arbitrary code via a crafted image.
CVE-2015-2704 2 Realmd Project, Redhat 2 Realmd, Enterprise Linux 2025-04-12 N/A
realmd allows remote attackers to inject arbitrary configurations in to sssd.conf and smb.conf via a newline character in an LDAP response.